“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”

~ Paul L. Kirk, forensic scientist

One of the foremost axioms of forensics, digital or otherwise, is Locard’s Exchange Principle. Simply put, this principle, formulated by Dr. Edmond Locard (known in his time as “the Sherlock Holmes of France”) states:

“Every contact leaves a trace.”

These traces are the tiny pieces left behind that we forensic investigators use to help determine in a given situation what happened, where it happened, who it happened to, when it happened, and how it happened, and who did it.

As Paul L. Kirk, one of the seminal minds in the field of forensic science, famously laid out in the quote above, these traces can’t lie. They can only be misunderstood or ignored*. You can think of traces as signposts leading to the truth. Follow them accurately and you’ll get there. Overlook them, take the wrong turn somewhere, make the wrong conclusion at some point in your investigation… and wherever you end up, it probably won’t be with the correct answer to the questions you need to have answered.

*Well, many of the traces that were considered ironclad in his day, like hair fibers, aren’t quite as authoritative in the modern forensic science scene as they were decades ago. The traces don’t lie, but their significance and the conclusions they lead to can be over- and understated to an investigator’s detriment. This is an idea we should keep in mind with digital evidence artifacts as well. In the ever-changing world of technology, what is true today may not be tomorrow, and the weight or importance of various artifacts can change over time.

In digital forensics, we aren’t dealing with footprints and hair fibers. (Modern physical forensics doesn’t even deal with hair fibers anymore, now that we know how much more reliable DNA is as evidence.) At least, we don’t deal with footprints in a literal sense. We have a different set of traces to track on our way to the truth, and we call these traces artifacts.

What Are My Favorite Artifacts?

Like the footprints, DNA, fingerprints, or the blood Kirk’s example criminal left behind in the quote of his I put at the beginning here, forensic artifacts are the digital equivalent–the things left behind unintentionally, unconsciously, often invisibly, that help us get to the bottom of an incident. Things like registry keys, files, timestamps, and event logs are the traces we follow in our line of work.

In the coming months, I’ll be taking a deep dive into some of the forensic artifacts I see in my investigations that I find the most useful, the most interesting, or both. Here are just a few of the artifacts I’ll be covering in this blog series:

Smartphone User Dictionaries

Smartphone Context Log-0 (Samsung)

SQLite database files (look for my first book review here!)

$Logfile Artifacts

Link Files

Shell Bags

Prefetch Files

Amcache Artifacts

Other totally cool stuff

I’ll also delve into some of the unique properties of flash memory and what sets it apart from the traditional spinning-disk storage media we’ve all come to know and love over the past sixty years: the artifacts it creates, and the unique challenges and opportunities it presents to us.

I can’t wait to get to the next installment, and I hope you can’t, either!

Triplet Unicorn Pwnys. We made them identical in every way, including their Serial Number.

“The truth is rarely pure and never simple.”
~ Oscar Wilde, The Importance of Being Earnest

Myths and Legends:

This past week, I spoke at the eleventh SANS DF/IR Summit (and oh, what a great summit it was!) about “Ground Truth” in digital forensics. My topic was about those things we take for granted – hardware, firmware, and the “truths” we are taught about imaging and forensic artifacts versus the more-complex realities I have come to realize after working side-by-side with a great data recovery company. Normally, I try to do a recap of the SANS summit, and this year’s summit had excellent content! But, this year I got more than a little bit side-tracked by some really cool “hallway-con shenanigans.”

In saying this, I am NOT telling you that I was goofing off. Quite the contrary. But it is accurate to say I was horsing around a little.

Before the summit, my good friends Matt Linton (Chaos Specialist for Google) and Ryan Pittman (Resident Agent in Charge, Computer Crimes Division, NASA OIG) asked if I would be on standby to assist with their tabletop exercise during the summit. Of course, I agreed. Matt put together his “Evidence USB” for the tabletop exercise. He then produced ten copies of the data to pass out to participants on ten legendary Unicorn USB thumb drives.

As he was creating the devices, Matt messaged Ryan and me commenting that the USB devices seemed “shady” because they presented to the Windows OS with the following information:

Vendor: VendorCo

Product: ProductCode

This is just the sort of mystical and mythical information about firmware and hardware my summit talk was focused on! Convergence of topics is almost never a bad thing, and in this case, it started a great conversation and led to some very cool collaborative testing.

USB Hardware, Counterfeit USB Devices, and Firmware Mayhem:

USB thumb drives may look alike at the surface, especially with their outer coverings intact. But if you take a closer look at their hardware, you can find all sorts of very strange inner parts. The data recovery side of Gillware sees this all the time.

Yup. That’s a thumb drive… made out of a Micro SD card.

We’ve seen Micro-SD cards pasted to thumb drive boards, iPhone memory chips used inside brand-name thumb drives, and different combinations of memory storage chips and processors used within the same manufacturer lots of devices. While at the surface the devices look the same, what’s under the covers may be completely different. Hardware-wise, many USB thumb drives are literally assembled from mixed-and-matched parts.

Once the hardware is put together, the manufacturer flashes the firmware of the device to provide the USB device with its identity. There are firmware flashers for all of the various brands of controllers, and they’re fairly easy to find and download. Counterfeiting a USB device to replicate a more expensive brand name or to falsify the size of the device is all too common. Again, the data recovery side of Gillware sees this all the time.

Someone buys a large-capacity thumb drive on eBay for an unbelievably good price, only to discover that while the reported size of the device is that large, the actual size of the device is much smaller. The ultimate result is data loss. Not only did the seller lie to them, but the firmware was also programmed to lie to their computer’s operating system about the size of the drive.

Here’s a thumb drive with a memory storage chip more commonly seen in an iPhone.

So What Does This Have to do with Forensics?

So it’s clear that thumb drives aren’t always as they’re advertised. In our pre-summit chat, I let Matt know that we could manipulate the “unique” unicorn thumb drives to be whatever he wanted them to be by flashing their firmware. Matt and Ryan wanted to try this, of course, and so Matt sent me pictures of the internal components of one of the unicorns, and I sent him a link to the appropriate firmware flasher. Once at the summit, we pooled our brains, and along with Adam Nichols, Security Engineer for Google, we went to work on Matt’s herd of ten “evidence” unicorns.

While the outsides of the unicorns look the same, the insides sure don’t.

Right away we found that while all of the unicorns looked the same on the outside, they were different animals internally. Of the first handful of Unicorns we pulled apart, we found two different combinations of controllers and memory storage chips. After several exploratory surgeries, we settled on three Unicorns for further testing. We named them Howard, Fargo, and Fillmore.

These three ponies (or pwnies, if you will) had the same brand of controller. Using the flashing software, we changed the identifiers in the firmware so that the USB drive manufacturer was listed as “Bad Product,” the serial number was “1BADHORSE,” and the volume name was “BADHORSE.” (Yes, Dr. Horrible’s Sing-Along Blog fans, this was an intended nod.)

Registry Comparison, Pwny Express:

We flashed Howard, Fargo, and Fillmore with exactly the same information, and then did some testing to see what registry artifacts they would leave behind. Would Windows see the USB devices as unique? Could we plug in multiple USB thumb drives with the same serial number into the same machine at the same time without a blue screen? Would they be assigned a unique GUID so that we could identify the activity of each USB drive in a hypothetical forensic examination? After all, forensic artifacts never lie, right?

Then, using a fresh Windows 7 Virtual Machine (you could use the SANS SIFT Workstation), we did the following:

Use regshot to create a snapshot of the registry from a clean Windows 7 Operating System (SANS SIFT VM)

Insert Howard the Unicorn USB and create a snapshot of the registry

Restore the VM snapshot

Insert Fargo the Unicorn USB and create a snapshot of the registry

Restore VM snapshot again

Insert Fillmore the Unicorn USB and create a snapshot of the registry

Restore VM snapshot again

Load the clean registry snapshot for comparison against Howard, create a snapshot, and save output

Restore VM snapshot again

Load the clean registry snapshot for comparison against Fargo, create a snapshot, and save output

Restore VM snapshot again

Load the clean registry snapshot for comparison against Fillmore, create a snapshot, and save output

Convert output of the regshot compare of all 3 files from utf-16 to utf-8:

iconv -f utf-16 -t utf-8 file.in >> file.out

Pull out and uniquely sort all registry keys that contain the word “horse”:

grep -i horse file.in | sort -u >> file.out

Check for differences between the three comparison files with diff

And… there were no differences between the three devices in the Windows Registry.
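The post-processing steps above (decode regshot’s UTF-16 output, pull out the keys mentioning “horse,” sort them uniquely, then diff the devices against each other) as an added Python example. This is not the post’s own script; the regshot reports are constructed to follow the layout Windows uses under Enum\USBSTOR and Enum\USB for a mass-storage device, with placeholder VID/PID and revision values. It goes one step beyond the post by adding a fourth, stock “VendorCo/ProductCode” device with its own serial number, so the reader can see what a genuine difference looks like next to the three identical unicorns.

```python
"""Three-way registry comparison for USB devices flashed with identical identifiers.

Added example, not the post's own script. The regshot reports are constructed;
the key layout follows Windows' USBSTOR/USB enumeration keys, but VID, PID and
revision values are placeholders.
"""
import difflib
from typing import Dict, List


def _report(vendor: str, product: str, serial: str) -> bytes:
    """Build a regshot-style 'Keys added' report and encode it as UTF-16,
    which is how regshot saves its comparison output (constructed sample)."""
    usbstor = rf"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_{vendor}&Prod_{product}&Rev_1.00"
    keys = [
        usbstor,
        rf"{usbstor}\{serial}&0",
        rf"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_0000&PID_0000\{serial}",  # placeholder VID/PID
    ]
    body = ["Regshot comparison", "", "Keys added: 3"] + keys
    return "\r\n".join(body).encode("utf-16")


# Howard, Fargo and Fillmore were flashed with the same vendor, product and
# serial. "Ordinary" keeps the stock VendorCo/ProductCode identity and its own
# (placeholder) serial number, so it shows what a real difference looks like.
SAMPLE_REPORTS: Dict[str, bytes] = {
    "Howard": _report("Bad_Product", "BADHORSE", "1BADHORSE"),
    "Fargo": _report("Bad_Product", "BADHORSE", "1BADHORSE"),
    "Fillmore": _report("Bad_Product", "BADHORSE", "1BADHORSE"),
    "Ordinary": _report("VendorCo", "ProductCode", "0123456789AB"),
}


def decode_report(raw: bytes) -> List[str]:
    """The iconv step: regshot output is UTF-16 with a byte-order mark."""
    return raw.decode("utf-16").splitlines()


def horse_keys(lines: List[str]) -> List[str]:
    """The grep/sort/uniq step: keys mentioning 'horse' (case-insensitive),
    sorted and de-duplicated."""
    return sorted({line for line in lines if "horse" in line.lower()})


def compare_devices(reports: Dict[str, bytes], base: str) -> Dict[str, List[str]]:
    """The diff step: the filtered key list of every other device against `base`.
    An empty list means the registry cannot tell the two devices apart."""
    base_keys = horse_keys(decode_report(reports[base]))
    result: Dict[str, List[str]] = {}
    for name, raw in reports.items():
        if name == base:
            continue
        other = horse_keys(decode_report(raw))
        result[name] = list(difflib.unified_diff(base_keys, other, base, name, lineterm=""))
    return result


if __name__ == "__main__":
    for name, diff in compare_devices(SAMPLE_REPORTS, "Howard").items():
        print(f"{name}: {'identical to Howard' if not diff else 'differs from Howard'}")
        for line in diff:
            print("   ", line)
```

With the three flashed devices the diff against Howard is empty, exactly the result the post reports; only the stock device produces any diff output.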

Filmore, Fargo, and Howard: A Side by Side comparison of registry differences.

“Unique” Windows Container IDs:

The Windows Operating System assigns a “unique” container ID to an inserted USB device based upon a hash of the USB serial number of the device, or a randomly generated value if the USB device has no serial number. According to Microsoft’s documentation, Windows bases assignment of the container ID on information that is contained within the device. If the information on the device is altered via a firmware flash, Windows still trusts what it reads. It will produce the exact same container ID for USB devices that have identical serial number identifiers.

The ramifications here are clear. It is possible for multiple USB devices to leave behind forensic artifacts that appear to be generated by a single unique device. Associated forensic artifacts such as link files, shell bags, and USB related registry values can’t know the difference because the firmware in the attached device is lying to them.

Matt, Ryan, Adam, and I are most certainly not the first to discover firmware manipulation. And firmware manipulation can be used not only to fraudulently change the reported size of a device, or as an anti-forensics technique to cover up data exfiltration, but also for malware attacks such as BadUSB. If you want to know more, here’s a recent list from Bleeping Computer of no less than 29 ways to use USB devices in attacks. We will continue researching firmware manipulation and its various ramifications for the forensic artifacts we all rely upon, and you may see us speaking about this topic next year at the SANS Summit. In the meantime, keep your mind open to the various explanations that might lead to the artifacts your tools report to you. In other words: trust, but verify.

Other Goodness From Hallway-Con – #DFIRJAM:

As you may remember from last year, Ryan, Matt, and I collaborated on a paper and a talk at last year’s SANS DF/IR Summit called Beats & Bytes: Striking the Right Chord in Digital Forensics. Our talk culminated in a pretty good rendition of Wagon Wheel played by six DF/IR professionals who had never performed or played together before. As far as live demos go, it was high risk but there were no glitches! Unfortunately, Matt wasn’t able to be there, so this year, we brought back the music at break times. Here, for your listening pleasure, is a version of Blackberry Blossom with Matt on his grandmother’s 200-year-old Stradivarius style cello, Cindy on her Luis and Clark carbon fiber cello, and Ryan on his Deering Good Time Zombie Killer 5-string banjo.

How to Prevent the Worst Monday Imaginable
https://www.gillware.com/forensics/blog/best-practices-and-tips/how-to-prevent-the-worst-monday-imaginable/
Thu, 24 May 2018

For most people, Friday is the start of their weekend. At Gillware Digital Forensics, it’s actually the start of our work week. Why? Because it’s the start of the work week for the people who are attempting to intrude on and attack your systems.

At Gillware, nearly every data breach investigation and response case has the first malicious action conducted on a Friday evening after everyone has started their weekend. If you’ve been unlucky enough to have to deal with a system that fell victim to a ransomware attack, you probably discovered the encrypted data first thing Monday morning.

Talk about a case of the Mondays.

How to Stop Data Breaches… Before They Happen

In most data breaches and intrusion events, you can find indicators of compromise before any malicious actions, such as data theft, malware deployment, internal password phishing attempts, etc., have even taken place—if you just know where to look.

Office365 login audits:

If you use Office365, as many offices do, and have admin audit logging enabled, you can check the logs for any sign of account compromise. If one of your users has fallen victim to a password phishing scam, it’s a near-certainty that the hacker will test the gleaned login credentials days or even weeks in advance before they take any real malicious action.

If you view the logs before the malicious action took place and find suspicious activities such as:

Setting up malicious email forwarding rules

Sending phishing emails to co-workers and clients

OneDrive and SharePoint data compromises

Then you’ve discovered evidence of a breach-in-progress.

If you see any of these kinds of malicious access, contact Gillware Digital Forensics ASAP. We can help you eliminate the breach and determine if the hackers have done any further malicious actions.

To check for these kinds of malicious probing:

Log into your Office365 Admin account.

Go to the “Security and Compliance” App.

Go to Search and Investigation > Audit log search.

Set the start date as far back as you can, typically 90 days.

Find items whose Activity is “UserLoggedIn” or “UserLoginFailed.”

Most events in Office365 will include the IP address that they were initiated from. These IP addresses can be searched on websites like https://whatismyipaddress.com/ip-lookup to find out where this IP is coming from. If you see IP addresses from locations that you would not expect logins to come from, or you see numerous failed logins, this can be an indicator of compromise, or an indicator that you are at risk.

Domain Controller Logs for RDP Access:

Many malicious acts are conducted through the millions of computers that have RDP ports that are accessible from outside the network without VPN or other security measures. Many RDP usernames and passwords are for sale on the dark web. If your users remotely access their workstations through any port via RDP, even if it’s not the default port, your systems are likely at risk. Fortunately, you can view Windows Security Event logs to determine if any accounts have been compromised. If you use RDP without a domain controller, you will need to view the security logs on each workstation.

How to View Event Logs Related to RDP Logins on the Domain Controller:

Edit query manually box in the Windows Event Viewer

Open Windows Event Viewer

In the left column, go to Windows Logs and Click on “Security” to view the security log.

In the right pane, click “Filter Current Log…”

Click on the XML tab in this same window, here is where we can filter to only remote desktop logins.

Click on the “Edit query manually” box and click “Yes” if prompted that you will no longer be able to change the filter with the GUI.

In the XML text box, replace the text with the following query, which will show us successful and failed RDP logins:

Now you should be able to see RDP failed and successful logins like the one below (assuming that you use RDP):

RDP logon event log

In the image above depicting the successful login, the most important piece of information is the Source Network Address. The Source Network Address is the IP address that the login comes from. If you don’t allow RDP access from outside your local network, then these will all be local IP addresses. However, if you use RDP from outside the network without requiring VPN, these logins will show public IP addresses.

Two Suspicious Events to Look For In Your Domain Controller:

Repeating Event ID 4625s: This event denotes a failed login attempt. In many ransomware cases, we see a pattern of these events that could indicate a brute-force password cracking attempt. These are especially concerning if the IpAddress field is blank or a “-”.

Windows Event ID 4624: This event denotes a successful login attempt. In the Windows security logs, Event ID 4624 has a logon type showing how the user is connected, with a logon type of 10 indicating RDP access. The RDP access will have an IP address field in it which indicates where the user is accessing the computer from. Similarly to the Office365 logs, https://whatismyipaddress.com/ip-lookup can be used to identify the location of the IP address. If you see any malicious 4624 events from locations such as foreign countries that you do not have users in, this is an indicator of compromise, and a breach is currently occurring.
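The two checks described in this post, the Office365 audit log search for “UserLoggedIn”/“UserLoginFailed” and the domain controller search for Event ID 4624 (logon type 10) and repeating 4625s, as one added Python example that serves both sections. This is not the post’s own tooling. Both log samples are constructed: the Office365 records use the unified audit log field names (CreationTime, Operation, UserId, ClientIP), and the Security events use the 4624/4625 EventData names (TargetUserName, LogonType, IpAddress). The IP addresses are from the RFC 5737 documentation ranges and stand in for public addresses; the internal network list and the allow-list of expected public addresses are assumptions a reader replaces with their own. The Event Viewer XML filter at the top is the standard form for the filter the procedure above pastes into the “Edit query manually” box; it is written here by us, since the post’s own query text did not survive.

```python
"""Login triage over Office365 audit records and Windows Security events.

Added example, not the post's own tooling. Log samples are constructed;
internal ranges and the expected-public allow-list are assumptions.
"""
import ipaddress
import json
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Event Viewer XML filter equivalent to parse_security() below:
# 4624 only for LogonType 10 (RDP), every 4625. Written by us, not the post.
EVENT_VIEWER_FILTER = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='10']]</Select>
    <Select Path="Security">*[System[(EventID=4625)]]</Select>
  </Query>
</QueryList>"""

# Constructed Office365 audit log export, one JSON record per line.
O365_RECORDS = """\
{"CreationTime":"2018-05-18T19:02:11","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2018-05-18T19:40:51","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.23"}
{"CreationTime":"2018-05-18T19:41:02","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.23"}
{"CreationTime":"2018-05-18T19:41:15","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.23"}
{"CreationTime":"2018-05-18T19:41:30","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.23"}
{"CreationTime":"2018-05-18T20:10:00","Operation":"FileAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.7"}"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id: int, user: str, logon_type: int, ip: str) -> str:
    """Minimal Security-log event XML in Event Viewer's export layout (constructed)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')


# Constructed sample: repeated 4625s with a blank source (the post's red flag),
# two RDP logons, and a service logon (type 5) that the filter must leave out.
SECURITY_EVENTS = [_event(4625, "administrator", 3, "-")] * 4 + [
    _event(4624, "jdoe", 10, "10.0.0.25"),
    _event(4624, "jdoe", 10, "203.0.113.7"),
    _event(4624, "svc_backup", 5, "-"),
]

# Assumed internal ranges; anything else is treated as outside the network.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Login:
    source: str   # "o365" or "security"
    user: str
    ip: str       # "-" or "" when the event carries no address
    success: bool


def parse_o365(text: str) -> List[Login]:
    """Keep only the UserLoggedIn / UserLoginFailed operations the post asks for."""
    logins = []
    for line in text.splitlines():
        rec = json.loads(line)
        if rec["Operation"] in ("UserLoggedIn", "UserLoginFailed"):
            logins.append(Login("o365", rec["UserId"], rec["ClientIP"], rec["Operation"] == "UserLoggedIn"))
    return logins


def parse_security(events: Iterable[str]) -> List[Login]:
    """Same selection as EVENT_VIEWER_FILTER, applied to exported event XML."""
    logins = []
    for xml in events:
        root = ET.fromstring(xml)
        event_id = int(root.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
        if event_id == 4624 and data["LogonType"] == "10":
            logins.append(Login("security", data["TargetUserName"], data["IpAddress"], True))
        elif event_id == 4625:
            logins.append(Login("security", data["TargetUserName"], data["IpAddress"], False))
    return logins


def triage(logins: List[Login], expected_public: Iterable[str] = (), failure_threshold: int = 3) -> List[str]:
    """Flag repeated failures per source address (possible brute force, blank
    address included) and successful logins from addresses that are neither
    internal nor on the allow-list of expected public addresses."""
    allowed = INTERNAL_NETWORKS + [ipaddress.ip_network(n) for n in expected_public]
    findings = []
    failures = Counter((l.source, l.ip) for l in logins if not l.success)
    for (source, ip), n in failures.items():
        if n >= failure_threshold:
            where = "a blank source address" if ip in ("", "-") else ip
            findings.append(f"{source}: {n} failed logins from {where} (possible brute force)")
    for l in logins:
        if not l.success or l.ip in ("", "-"):
            continue
        addr = ipaddress.ip_address(l.ip)
        if not any(addr in net for net in allowed):
            findings.append(f"{l.source}: {l.user} logged in from unexpected address {l.ip}")
    return findings


def run_example() -> List[str]:
    logins = parse_o365(O365_RECORDS) + parse_security(SECURITY_EVENTS)
    # 203.0.113.0/24 plays the role of the office's known public egress range.
    return triage(logins, expected_public=("203.0.113.0/24",))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Any address that ends up in the findings is the one to put through an IP lookup, as the post suggests; the script deliberately stops at “unexpected” rather than guessing a location offline.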

Take Suspicious Events Seriously

In most of our breach investigations, the victim identifies suspicious activity after the fact. For example, after we tell the IT staff that a specific user was “Patient Zero” of the breach, they go back into their ticketing system and find that before the breach occurred the user reported abnormal operation of their computer, such as:

Suspicious emails clicked by the user

Suspicious popups asking for credentials

The computer’s language switching to Russian or other foreign languages

The computer logging off randomly

The computer running slowly and high processing activity occurring

Etc.

It’s hard to stay on top of all the issues reported to your IT staff every day. However, some of these reported issues can be indicators of compromise and need to be addressed posthaste to prevent further damage.

Make Sure You Have a Cloud Backup

Most of the data loss incurred due to ransomware can be avoided by having an offsite cloud backup that is not easily accessible from any of the computers/servers on your network that could fall victim to ransomware. Too often we see an organization’s backups stored on a NAS device attached to the compromised computer or server in question. If you’ve stored your backups on a NAS that is currently mapped to a computer or server, and that computer or server gets ransomed, your backups will get deleted or encrypted as well.

Ransomware has always evolved to make infections more difficult to recover from without paying the hackers. Modern ransomware even runs software that will clear the free space on the devices it infects, which makes recovery of the deleted backups impossible in these situations.

Keep Us In Mind

Even the most vigilant people can’t catch 100% of the threats that come their way. You should always do the best you can to protect yourself, but for anything that sneaks through, you can always count on us here at Gillware Digital Forensics to help you make things right again.

Wow! Two years have come and gone here at Gillware Digital Forensics. Two years since I made the jump from a decades-long career in law enforcement to the unknown realm of the private sector. I had so many anxieties while deciding whether or not to take this leap of faith and help found Gillware Digital Forensics. So many of those anxieties melted away after just the first month.

In the past two years we’ve encountered so many incredible forensic situations to resolve (including many of the same types of cases I saw while working for the Madison Police Department) and while working together so closely with the engineers in Gillware’s data recovery lab we’ve accomplished things—like chip transplants for mobile phones—nobody thought could be done practically (if at all). You’ve already read about all of the most exciting adventures I’ve had over the past two years on my blog (the ones we’re allowed to blog about, at least)!

Starting in June, I’ll be kicking off a new monthly series on my blog, “My Favorite Artifacts!” Each article in the series will discuss one of the more interesting types of forensic artifacts I encounter in my line of work, shedding light on some of the coolest stuff we forensicators get to wade through when we dig into the mobile phones, computers, servers, virtual machines, and all the other devices our clients bring to us.

So… here’s to two years of Gillware Digital Forensics—and to many more in the future!

Case Study: Tech Support Scams and the Real Threat of Data Breaches
https://www.gillware.com/forensics/blog/data-recovery-case/tech-support-scams-data-breaches/
Fri, 27 Apr 2018

A data breach that only leaks your email address and phone number might seem trivial. But here’s a look at how hackers can exploit you with even a little bit of your personally identifiable information. In this case, we see how little data you need to pull off Tech Support Scams.

Not all data breaches are created equal. Some leave you with your Social Security number and credit card information exposed for the whole Dark Web to see. Some merely hand over your phone number and email address. When hackers breach a service you use, and the service assures you, “it’s okay, we don’t store your passwords in plaintext or your credit card numbers,” you might breathe a sigh of relief. However, even a fraction of personal information can leave you more vulnerable than you might imagine.

The Real Threat of Data Breaches

So they get your phone number, you might think. A few more annoying calls to deal with. Nothing an anti-spam mobile app like Mr. Number can’t help you cut through. So they get your email address. A few more emails offering “male enhancement” pills in your inbox. Annoying, but harmless.

If you think this way, you’re not thinking like a scammer. You’re not thinking like someone who wants to wring as much out of you as possible and will do so with whatever they have at their disposal and by any means necessary. One of our recent forensic cases here in our lab demonstrates what a group of cons can do to you with just your phone number and your email address.

What Are Tech Support Scams?

You’ve seen this scenario in just about every heist movie ever made:

The plucky gang of thieves needs a way onto their target’s property so they can case the joint. Sneaking into the place in black jumpsuits and ski masks at midnight is out of the question—at least for now. So what are they to do? Disguise themselves, of course—as janitors, exterminators, or if they’re feeling particularly bold, cops or security guards.

When Remote “Helpers” Hinder

One such scam is the technical support scam. For this type of digital heist, the scammers claim to be tech support for well-known, reputable companies such as Microsoft and Apple. They will claim to have detected malware on your computer and offer to fix it for you… but you have to give them remote access to your computer. This request on its own doesn’t sound unreasonable. Legitimate tech support agents from places such as Geek Squad do use remote assistance tools to help people with issues.

Remote support tools like GoToAssist have benevolent uses, and there is no danger in using them with legitimate tech support professionals. However, like any tool, they can be used for ill as well as good.

Remote access is facilitated by software tools such as TeamViewer, Splashtop, FixMe.IT, and GoToAssist. Following the scammers’ instructions to install the software and connect it to their network will let them onto your computer, giving them free rein to run their bogus malware scan (usually planting malware of their own in the process). Once they have gotten what they want out of you, they charge you a hefty fee for their “services.”

As one of our clients learned the hard way, unfortunately, you don’t need much more than a phone number, an email address, and a bit of luck to pull off this kind of scam.

Timeline of a Tech Support Scam

Our client, the victim in this case (we’ll call them Vic for short—obviously not their real name) received several voicemails one day calling about a computer security issue. Vic called back, if only to stop getting the calls, and ended up speaking to someone claiming to be a tech support agent from AppleCare. The alleged technician told Vic they had detected a security breach on their iPhone and laptop due to corruption through their iCloud account. All of this sounded convincing enough to Vic.

But just to seal the deal and make sure the whole tech support thing sounded really legit, the scammer told Vic to check his PayPal. Lo and behold Vic discovered an unauthorized $500 charge! I’ll give you three guesses as to who was responsible for that, and the first two don’t count—this attack was likely facilitated by the attackers having Vic’s email address and Vic having a weak, easily-guessable password and no multi-factor authentication enabled.

The First Attack

Nathan and Will stage an example of common tech support scams like the one our client “Vic” fell for.

With Vic assured of the tech support agent’s benevolence now, they agreed to install and run GoToAssist. This application requests an ID for the individual who wishes to access your computer, and upon entering the ID, the corresponding individual (in this case, our scammer) gains full control. Vic could see what the attacker was doing, but the attacker would have made it appear to them that all of their use was legitimate.

While remotely controlling Vic’s computer, the scammer opened Notepad and used it to ask questions and make observations, including claiming that over fifteen hackers from various countries had compromised Vic’s computer and phone.

Before the scammer continued with the “remote support,” they informed Vic that since they were not an AppleCare subscriber, they would have to pay $300 before the scammer could run necessary anti-malware scans to protect the client’s data. Of course, paying with a charge card would be dangerous—after all, with the computer compromised, the “hackers” could intercept the payment! Instead, poor Vic was directed to buy $300 worth of iTunes gift cards and scan them to the scammer.

With the payment taken care of, the scammer began to run an “anti-malware” scan. Vic was instructed to leave the computer alone while the scan ran its course. The scan took several hours. In total the GoToAssist connection lasted about eight hours. After the scan finished, the client put their computer to sleep as instructed.

The Scammer Strikes Again

The next day, the scammer called back, telling Vic they had to run another scan. Vic began another remote support session which lasted about five hours. Afterward, however, Vic grew suspicious. Calling AppleCare, Vic discovered that the so-called tech support agent who’d been helping them was indeed a fraud. They called Geek Squad, a tech support service they had prior experience with and trusted, and asked them to do a remote check. Geek Squad found no malware on Vic’s computer or phone, which begged the question… what had the scammer been doing for all those hours?

Uncovering Data Theft

Vic came to us to investigate just what was it the scammer had been doing while they had free rein over their computer. We discovered that the attacker had made liberal use of a feature of GoToAssist allowing them to transfer files from one computer to the other.

Forensic artifacts were found showing that the executable files related to this file transfer mechanism had been run. However, GoToAssist left few artifacts behind showing the extent of the breach and how much data the scammers had transferred. Given how long the attacker had access to the victim’s computer, we could make an educated guess that they likely copied over all the sensitive data they could find.

Picking Up the Pieces of a Tech Support Scam Intrusion

If our client Vic (not their real name) hadn’t wised up when they did, the scammers would have simply kept bleeding them dry as long as they could. When you’re willing to sink this low, you have no compunctions about wringing as much as you can from your victims.

We could not undo the damage already done. But we could make a few suggestions for ways our client could prevent themselves from coming to further harm by the people who’d already taken advantage of them:

Change every single one of their passwords and enable two-factor authentication, even the passwords for things not involved in the attack. This grocery list of passwords to mend includes email accounts, Office 365 accounts, banking accounts (including PayPal, Venmo, etc.), social media sites such as Twitter and Facebook, etc. Attackers using these remote support scams often look for and steal saved passwords to wreak further havoc. Use two-factor authentication whenever possible and never reuse passwords.

Reinstall Windows on their laptop. This action removes any chance of a persistent threat that would allow the intruder back into their computer. It would also remove any other nefarious actions by the scammers, such as the intruder setting up an email forwarding rule to gain access to the client’s inbound and outbound emails.

Monitor all online accounts for any further suspicious activity.

Request that Gillware Digital Forensics or another security company conduct a security review of any and all cloud storage systems that hold sensitive information, such as Google Drive, Dropbox, Office365, etc. to ensure that there were no file/folder sharing rules set up that would compromise any additional data.

Discerning Fakes from Real and Scammers from Helpers

Eighteenth-century satirist Jonathan Swift (author of “A Modest Proposal,” one of the world’s seminal works of political satire) once wrote that “Falsehood flies and the truth comes limping after it.” This sentiment feels even truer today than it did in his time with the speed at which false information travels and the distance it covers. We live in a crisis of reality. With the way data—and people—can find themselves manipulated by even the most brazen lies, knowing what’s real and what isn’t has become harder than ever.

And it’s not just that “fake news” you keep hearing so much about. As malicious actors grow bolder and craftier, it grows harder to discern legitimate resources from malevolent copycats. Those emails you get from “PayPal” claiming that there’s an issue with your account are getting progressively harder to see through as scammers get better at digital forgery.

Blurred Lines

For example, let’s take this case. After these malefactors had done their dirty work, our client Vic (not their real name) went to Geek Squad for a remote malware scan before they came to us. Our client actually used Geek Squad and had a relationship with their technicians already, unlike with AppleCare. Geek Squad used its remote tools to access the client’s computer and conducted their scans—legitimately.

When we took a peek at the client’s laptop to see the extent of the damage, we could see the forensic artifacts left behind both by the fraudulent AppleCare reps and the legitimate Geek Squad support team.

They looked very similar.

Geek Squad’s remote assistance tool is just like TeamViewer and GoToAssist, after all, albeit with unique branding. Under the hood, it is more or less the same software. Remote assistance software can and does have legitimate and illegitimate uses alike. But regardless of the motive, the software and the footprints it leaves are the same. What if our client had googled “Geek Squad support phone number” and ended up on a malicious site that gave them a scammer’s phone number instead of finding the legitimate Geek Squad support line?

The good news is that most scammers are still incredibly lazy and their tricks laughably transparent. The bad news is that some of them are getting better—a lot better.

As with navigating the media, you need ever more vigilance even when seeking help and assistance. The answer to avoiding scams is to slow down, take your time, and double-check everything.

No computer is ever going to ask a new, reasonable question. It takes trained people to do that.

– Grace Hopper


My Sheroes!

Today, March 8, 2018, is International Women’s Day. To mark the occasion, I want to celebrate some of the pioneering sheroes in the field of Information Technology. Without the accomplishments of these women, computing wouldn’t be what it is today. I wouldn’t have had the opportunities that I have had in Digital Forensics and Incident Response without them.

Ada Lovelace:

Ada Lovelace, daughter of poet Lord Byron and Countess of Lovelace, was a mathematician, logician, and writer who lived from 1815 to 1852. This is obviously well before the age of computing, but her work and vision about computational logic are foundational. As a teenager, her mathematical prowess resulted in a long-term working relationship and friendship with Charles Babbage, who is credited with inventing the first computer. She wrote what is widely recognized as the first computer program.

Ada Lovelace

Ada believed in “poetical science” and spoke to the importance of intuition and imagination as critical components in applying mathematical and scientific concepts. She explored the ways in which individuals and society could relate to technology as a collaborative tool and wrote about how numbers could be used to represent other things aside from quantity, including letters, musical notes, and other concepts. In this very fundamental way, Ada hugely impacted the future application of computing.

Edith Clarke:

Edith Clarke lived from 1883 to 1995 and specialized in electrical power systems analysis. She studied Mathematics and Astronomy at Vassar College. Edith later studied civil engineering at the University of Wisconsin (Go Badgers!) and spent her summers working for AT&T as a computor – a person who solves math equations. She also attended MIT where she earned her Master’s degree in Electrical Engineering. Edith had difficulty finding opportunities for women in her field and continued to work as a computor for General Electric.

In 1921 Edith filed a patent for a “graphical calculator” to be used for solving complex electric power transmission line problems. Yep – that graphic calculator you loved so much as a nerdy high-schooler – you can thank Edith!

Also an adventurer, she traveled the world and taught Physics at Constantinople Women’s College in Istanbul, Turkey, and later taught Electrical Engineering in Austin, TX. Her accomplishments definitely qualify her as a pioneer both in electrical engineering and computing.

Hedy Lamarr:

Hedy Lamarr

Hedy Lamarr was born Hedwig Eva Maria Kiesler on November 9, 1914, in Vienna, Austria. She was a successful, beautiful, and talented actress, and starred in a number of very well known films. Aside from her accomplishments as an actress, Hedy was a brilliant inventor. In 1942, she patented her idea for a “Secret Communications System”. Her idea involved frequency-hopping signal technology which would prevent signal jamming and detection. Hedy’s ideas are incorporated today in Wi-Fi and Bluetooth technologies.

Hedy’s idea was somewhat before its time, and wasn’t used during World War II because technology hadn’t caught up to it yet. Spread spectrum technology, Hedy’s idea, is now fundamental in radio and cell phone applications. Hedy once commented “Films have a certain place in a certain time period. Technology is forever.” Isn’t that the truth!

Grace Hopper:

“Amazing” Grace Hopper

“Amazing” Grace Hopper was born in New York City in 1906. During World War II, she was a mathematician and mathematics professor at Vassar College before joining the U.S. Naval Reserve where she worked on programming the Mark I computer. After the war, she led the team that created the first computer language compiler and helped to create the COBOL computer language. Grace was also part of the development team for UNIVAC, the first commercially available computer in the US. Hopper became a rear admiral before retiring in 1986.

One other really cool legacy left by Grace is the Computer Bug. The term “Computer Bug” was coined after she found a real bug inside a computer. Here’s an excerpt from her notes (looks like maybe a moth?):

Grace loved to share her knowledge, and once remarked “The most important thing I’ve accomplished, other than building the compiler, is training young people. They come to me, you know, and say, ‘Do you think we can do this?’ I say, “Try it.” And I back ’em up. They need that. I keep track of them as they get older and I stir ’em up at intervals so they don’t forget to take chances.”

Mary Jackson, Dorothy Vaughan & Katherine Johnson

Mary Jackson, Dorothy Vaughan, and Katherine Johnson were African American computors for NASA, featured in the recent movie Hidden Figures. They made the calculations that helped to successfully launch astronaut John Glenn into orbit. Each of these women is an inspiration in her own right, breaking through the various race and gender barriers placed in their paths.

Katherine Johnson began working for NASA in 1951. Her mathematical capabilities were extremely well trusted. NASA reported that in 1962, before the launch of the Friendship 7 spacecraft, John Glenn asked for her to re-check the computer calculated trajectory numbers. He reportedly said, “Get the girl, check the numbers. If she says they’re good, I’m good to go.”

Mary Jackson was NASA’s first black female engineer and enjoyed a productive career in engineering for almost two decades. In 1979, she took a demotion in order to serve as Langley’s Women’s Program Manager in order to work towards hiring and promoting the next generation of NASA’s female scientists, engineers, and mathematicians.

Dorothy Vaughan was head of the National Advisory Committee for Aeronautics’ (NACA’s) segregated West Area Computing Unit from 1949 until 1958 and was both a respected mathematician and NASA’s first African-American manager. During her career, Dorothy became an expert FORTRAN programmer as well as contributing to the Scout Launch Vehicle Program.

Kaspersky recently published a study regarding young people’s career choices, finding that almost 72% of young people have decided their career paths by the age of 16. Men are more inclined to study pure sciences (49% versus 36% of women) or choose technology-based careers (21% versus 7% of women). Just a fifth (20%) of respondents were clear on what a cybersecurity expert does, including just 16% of young women respondents.

We must do as much as we can to support young girls and women in learning about the opportunities available to them in cybersecurity, digital forensics, and incident response careers. And once they choose this career path we must do as much as we can to support and recognize their achievements. Female role models are crucial to the future of our field.

And now, I’d like to recognize…

There is a growing number of amazing women role models in Digital Forensics and Incident Response. Some of these role models are women I’ve known, worked with, and admired for years. Some I’ve only known or known for a short time. If you’re on this list, it’s because you’ve supported me in my digital forensics career, either through your technical knowledge, advice, or by inspiring me directly. Some of you are shy. Some are precluded by their position from being directly recognized. All are incredibly talented, incredibly smart, and incredibly capable. I’m sure to miss someone, and I hope they will forgive my oversight and email me so I can add them to this list.

Each of these women is an amazing role model, actively working in the trenches or in supporting roles, and all have inspired me as well as others in our field:

Forensic Case Files: Employee Hard Drive Switcheroo
https://www.gillware.com/forensics/blog/digital-forensics-case-study/employee-exit-hard-drive-switcheroo/
Tue, 16 Jan 2018 15:48:59 +0000

Sleight-of-hand can delight and entertain… or slip something more sinister past you.

“On the other hand, you have different fingers.”
—Steven Wright

Transposition magic is a lot of fun to watch. In the blink of an eye, a coin, a card, or an animal disappears and magically transforms into something else with a whimsical hand movement and mysterious command. Two objects can change places with each other. A masterful magician can even appear to transform the object into something else entirely.

When it comes to your company’s data and intellectual property though, no one wants to end up misled. When an employee cleans out their desk and leaves your business and you take the initiative to do your due diligence and conduct an employee exit investigation, the old switcheroo, the bait and switch, and the rickroll are a whole lot less fun.*

*Admit it, you knew precisely where this link was going to go before you clicked it.

Employee Exit Examination

Our client submitted a 320 GB Seagate hard drive to Gillware Digital Forensics as part of an employee exit examination. It’s prudent for businesses to image and archive the disk images from a company-owned computer or mobile device when an employee leaves—and not just for those bitter and acrimonious exits, either. However, in this case, a bitter and acrimonious exit was what had happened.

A mid-sized utility sector company employee had parted with the business under strained circumstances. When they returned their laptop, an HP EliteBook laptop purchased sometime in 2012, IT staff turned it on. Immediately they discovered that the hard drive within seemed to have no operating system to boot into. The company attempted to use off-the-shelf data recovery software to retrieve data from the drive and got absolutely nothing back for their efforts. They suspected that the hard drive had been wiped, and wanted confirmation of this. They came to us asking to determine whether the drive was indeed empty—and if this was the case, what had happened to the hard drive.

We immediately found something that didn’t add up.

During the Gillware Digital Forensics intake process, we always check the details of submitted hard drives. In this case, the manufacture date of the Seagate 320 GB hard drive was July of 2016. Considering that the HP EliteBook computer had been purchased in 2012… Presto Change-o! We had just found an immediate indicator that the hard drive wasn’t original to the laptop.

Our next clues as to what was going on would come from a particular feature of hard drives known as SMART.

We’re SMARTer Than That, Aren’t We?

SMART (Self-Monitoring, Analysis and Reporting Technology) is a monitoring system for computer hard disk drives (HDDs) and solid-state drives (SSDs) that interacts with the hard drive firmware to detect and report on a variety of indicators of drive health. The SMART area keeps track of (among other things) drive make, model, firmware version and capacity, the number of power cycles, and the number of start/stop cycles. Many forensic write-blockers read SMART data and report it to the examiner through their hardware interfaces.

SMART is a little piece of hard drive magic. It exists within the Service Area (aka the System Area) of a hard drive. Because the Service Area exists outside the LBA (Logical Block Address) area of a drive, standard ATA (Advanced Technology Attachment) commands don’t reach it. Data in the Service Area is inaccessible to the user and not addressed by most digital forensic imaging/analysis tools, wiping tools, or antivirus scanners.

Voilà! The perfect magician’s cabinet of forensics.

My longtime friend Todd Shipley has studied, tested, and written about System Area phenomena, as well as the illusions many forensic examiners have about the totality of the drive images they make. If you thought you were getting all of the data from the first to the last bit on the drive platter during acquisition, think again! It is entirely possible to hide data in the System Area, not to mention leveraging this hidden area of the drive for malware and data exfiltration à la Equation Group.

Now You See it!

Luckily, nothing so complicated was in play in this case. Using our handy-dandy WiebeTech Forensic Ultradock, we checked the SMART data related to the number of power cycles and start/stop cycles the 320 GB hard drive had undergone in its curiously-short lifetime. With the help of the SMART data, we uncovered a shocking truth. It was nearly brand new!

Forensic Imaging

Next, we created a forensic image of the user addressable area of the hard drive. Nobody had formatted the drive. In fact, it was entirely zero filled. We found no indication that anybody had written any data to the hard drive inside the company’s computer. In fact, we found no indication that this hard drive had ever lived in any other computer. It was an impostor!
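The two checks that settled this case, written up as an added example (this is not Gillware’s code or the Ultradock’s output): a parser for SMART wear counters in the layout smartctl prints, a comparison of those counters and the manufacture date against what a drive installed at purchase should show, and a zero-fill test on an acquired image. Every date, threshold and attribute value is constructed for illustration.

```python
"""Added example, not Gillware's code: two checks from this case run on
constructed input. parse_smart_attributes() reads the attribute table in
the layout `smartctl -A` prints, assess_drive() compares the wear counters
and manufacture date with what a drive installed at purchase should show,
and is_zero_filled() tests an acquired image of the LBA area. Every date,
threshold and attribute value below is constructed."""
import re
from datetime import date

# Constructed ATA attribute table; real drives print many more rows.
SAMPLE_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       3
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       2
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       3
"""

# id, name, flag, value, worst, thresh, type, updated, when_failed, raw (leading digits)
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)"
)


def parse_smart_attributes(text):
    """Return {attribute_name: raw_value} for every attribute row."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(2)] = int(m.group(3))
    return attrs


def assess_drive(attrs, drive_manufactured, host_purchased, examined,
                 hours_per_day=1.0, min_cycles=20):
    """Return findings that argue the drive is not the host's original.

    hours_per_day is a deliberately low estimate of daily use; a drive that
    cannot reach a tenth of that bound has barely been powered on.
    min_cycles is the smallest Power_Cycle_Count plausible for years of use.
    """
    findings = []
    if drive_manufactured > host_purchased:
        findings.append("drive manufactured after the host computer was purchased")
    expected_hours = (examined - host_purchased).days * hours_per_day
    hours = attrs.get("Power_On_Hours")
    if hours is not None and hours < expected_hours / 10:
        findings.append(f"Power_On_Hours={hours}, expected on the order of {int(expected_hours)}")
    cycles = attrs.get("Power_Cycle_Count")
    if cycles is not None and cycles < min_cycles:
        findings.append(f"Power_Cycle_Count={cycles}: drive is nearly new")
    return findings


def is_zero_filled(image):
    """True when every byte of the acquired image is 0x00."""
    return image.count(0) == len(image)


def has_boot_signature(image):
    """True when sector 0 carries the 0x55AA signature a formatted disk has."""
    return len(image) >= 512 and image[510:512] == b"\x55\xaa"


if __name__ == "__main__":
    attrs = parse_smart_attributes(SAMPLE_SMART)
    # Constructed dates modelled on the case: laptop bought in 2012, drive
    # made in July 2016, examined in January 2018.
    for f in assess_drive(attrs, date(2016, 7, 1), date(2012, 1, 1), date(2018, 1, 1)):
        print("finding:", f)
    image = bytes(4096)  # constructed stand-in for the image of the LBA area
    print("zero filled:", is_zero_filled(image), "boot signature:", has_boot_signature(image))
```

On a real acquisition, read the image in chunks rather than into memory at once; the counter thresholds are starting points to tune against the host’s known usage, not fixed rules.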

Here’s what we knew now:

The hard drive had been manufactured well after the estimated date of manufacture and sale of the laptop.

The new hard drive had no user data on it; in fact, it had never been used.

The conclusion:

The ex-employee under investigation had pilfered the old hard drive and its data and substituted a new, unused hard drive to cover their tracks.

In Duck Dodgers in the 24½th Century, Daffy Duck (playing the part of Duck Dodgers) battles Marvin the Martian in a contest over territorial rights to Planet X. Duck Dodgers claims the planet for Earth after discovering it contains a rare element. Just as Duck Dodgers claims the planet, Marvin the Martian lands and claims it in the name of Mars. A battle for territory ensues that leads to the destruction of Planet X.

If there’s one thing that’s sure to get anybody’s goat, it’s ending up in a battle over your own server. When somebody does something to your computer without your permission, whether it’s as trivial as changing your desktop wallpaper or as serious as installing malware to your server, it’s frustrating. When it happens in a business environment, it can potentially put customer data at risk.

In this case study, our client came to us after they found something disturbing on one of their servers. They had discovered unauthorized Bitcoin mining operations on an isolated server they used for Disaster Recovery testing. Our client also told us they’d been temporarily locked out of their own machine. Their own password wouldn’t work!

The trend of unauthorized cryptocurrency mining is increasingly common. A recent report by Kaspersky estimates that up to 1.65 million machines are affected by malware customized for mining cryptocurrencies such as Bitcoin.

Unauthorized Bitcoin Mining… and More?

Unauthorized Bitcoin mining and other cryptocurrency mining affects computers throughout the world without their owners’ knowledge or consent.

Our client had conducted an internal review once they had identified the compromise before contacting us. The affected server wasn’t a production environment. However, they wanted to ensure that whoever had done this hadn’t compromised any of their client’s data. And they wanted to know the full extent of the problem.

The system had been open to the Internet via RDP (Remote Desktop Protocol), and once our client had found the compromise, they had immediately disabled RDP to prevent future intrusions. It wasn’t clear exactly how the intruders got in, nor what they had done once inside, but our client’s internal review did discover two things of great interest.

Two Intruders

Their internal review discovered two pieces of malware on the machine: FlowSpirit and MinerGate. FlowSpirit, “the Best Traffic Bot Ever Created,” is black-hat “link magnification” freeware. It boosts traffic to websites, increases search engine rankings, and boosts pay-per-click activity by generating artificial website traffic. This bot commonly ends up on a machine as an add-on downloaded during the installation of other free software.

MinerGate is cryptocurrency mining software. It uses spare CPU cycles to generate digital currency for the user. The client’s server was used for Disaster Recovery testing. Obviously, no one, save for the mysterious intruder, intended to use it for web browsing or bitcoin mining. But unfortunately, unauthorized mining of this nature is becoming more common. According to a SecureList report from September 2017, over five thousand computers have had MinerGate installed on them without the user’s knowledge.

The client used malware-scanning software packages to check the server and identified no further cases of malware, but still had further concerns. Our client wanted to know how the unwanted software got onto the machine. They also wondered if their own malware scanning tools had missed something.

A Second Opinion

The client sent an image of their Windows Server 2012 R2 Datacenter environment server to Gillware Digital Forensics for forensic examination. During our initial review of the file system, we found a zipped copy of NLBrute in the Downloads folder for the user “Administrator” right off the bat. Uh-oh! This software tool helps crack Remote Desktop Protocol passwords.

Screenshot of back.bat when run.

Digging a bit deeper, I found two deleted folders containing single text files that had once lived on the Administrator’s desktop. These folders and files had simple names: 1/1.txt and 2/2.txt. I also discovered a folder in the C:\Windows directory called “back,” as well as a file named “back.exe” in the same location. In this case, I found that “back” stood for “back door.”

Batch File Scripting

Screenshot of VPS Tools.bat when run.

Inside the “Back” folder I found several old-school batch files, including one named “back.bat” and another named “VPSTools.bat.”

These batch file scripts contained a lot of interesting functionality. They worked together with another batch file to both brute-force VPS logins and establish a new user. A third batch file would supply a username and password once a successful brute force had occurred. These batch files worked in conjunction with each other to automate a classic sticky keys privilege escalation hack.

VPSTools.bat also contains a more direct clue in the form of the URL within the script, as well as some references to an Iranian hacking team. However, free hacking tools can be shared widely. The origins of a hacking tool do not always indicate who the current attacker is.

Mining for More Artifacts

Review of the registry files, shellbags, jumplists, userassist, and link files revealed additional evidence of bitcoin mining and use of the link magnification software. Fortunately, we found no evidence of any direct attention paid to any of our client’s customer VMs. Windows Event Logs showed several Iranian IP addresses attached to the machine via RDP. We also found evidence of ongoing attempts to brute force an additional target via RDP. These attacks had still been ongoing up until the time the client disabled RDP.
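How an examiner can confirm the two artifacts this case turned on, as an added example (not Gillware’s or the client’s tooling): a search of Security log records for the burst of failed RDP logons followed by a success from the same address that a password-guessing tool leaves, and a check of a registry export for the Image File Execution Options “Debugger” value used by one form of the sticky keys backdoor. The records, addresses, threshold and registry lines are all constructed.

```python
"""Added example, not Gillware's or the client's code: triage of the two
artifacts this case turned on, using constructed input. detect_rdp_bruteforce()
looks in Security log records for a burst of 4625 failures from one source
followed by a 4624 with LogonType 10 (RemoteInteractive) from the same
source; find_ifeo_debuggers() checks a registry export for the Image File
Execution Options "Debugger" value that the registry form of the sticky keys
backdoor relies on (the file-replacement form is found by hashing sethc.exe
against cmd.exe). Records, addresses, threshold and registry lines are all
constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the shape an EVTX parser exports:
# (timestamp, EventID, TargetUserName, LogonType, IpAddress).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
# With NLA enabled, failed RDP attempts are logged with LogonType 3, so the
# failure count below deliberately ignores LogonType.
SAMPLE_EVENTS = [
    ("2017-09-10 02:14:01", 4625, "Administrator", 3, "203.0.113.7"),
    ("2017-09-10 02:14:02", 4625, "Administrator", 3, "203.0.113.7"),
    ("2017-09-10 02:14:04", 4625, "admin", 3, "203.0.113.7"),
    ("2017-09-10 02:14:05", 4625, "Administrator", 3, "203.0.113.7"),
    ("2017-09-10 02:14:07", 4625, "Administrator", 3, "203.0.113.7"),
    ("2017-09-10 02:14:09", 4625, "Administrator", 3, "203.0.113.7"),
    ("2017-09-10 02:19:30", 4624, "Administrator", 10, "203.0.113.7"),
    ("2017-09-10 03:02:11", 4625, "Administrator", 3, "198.51.100.9"),
    ("2017-09-10 03:40:00", 4625, "Administrator", 3, "198.51.100.9"),
    ("2017-09-10 09:00:00", 4624, "backupsvc", 10, "10.0.0.5"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for sources with >= threshold failures inside
    any `window`, recording the first LogonType 10 success that followed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, user, logon_type, ip in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            failures[ip].append((t, user))
        elif event_id == 4624 and logon_type == 10:
            successes[ip].append((t, user))
    hits = {}
    for ip, fails in failures.items():
        times = [t for t, _ in fails]
        # densest burst: failures starting at each point that fall in the window
        burst = max(sum(1 for t in times[i:] if t - start <= window)
                    for i, start in enumerate(times))
        if burst < threshold:
            continue
        later = [s for s in successes.get(ip, []) if s[0] >= times[0]]
        hits[ip] = {
            "failures": len(fails),
            "burst": burst,
            "users_tried": sorted({u for _, u in fails}),
            "success_after": later[0] if later else None,
        }
    return hits


# Constructed lines in .reg export format. Only accessibility binaries are
# reported; a Debugger on any of them from the logon screen is suspicious.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}


def find_ifeo_debuggers(reg_text):
    """Return {binary: debugger_path} for accessibility tools with an IFEO Debugger."""
    hits, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and "image file execution options" in line.lower():
            current = line.rstrip("]").rsplit("\\", 1)[-1].lower()
        elif line.startswith("["):
            current = None
        elif current in ACCESSIBILITY_BINARIES and line.startswith('"Debugger"='):
            hits[current] = line.split("=", 1)[1].strip('"').replace("\\\\", "\\")
    return hits


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
    print(find_ifeo_debuggers(SAMPLE_REG))
```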

Fortunately, our clients had kept this server completely isolated from their production environment and all other customer data. They also used pfSense to connect to the internet. As a result, the server was effectively sandboxed. In this case, in fact, it acted as an unintentional honeypot. In all, this intrusion was brief, encompassing less than a week, and was handled well by the client.

Don’t Underestimate the Vulnerabilities of Virtual Environments

All of this goes to show that in cloud and virtual computing environments, vulnerabilities are still present and compromises can still occur. Unauthorized cryptocurrency mining can happen in virtual environments too, not just physical ones. Far too many people, unfortunately, fall victim to a false assumption about virtual machines. They believe that a virtual environment is less at-risk to various cyber threats than a physical environment. But in truth, a virtual environment has just as many vulnerabilities as a physical one. In a world of ever-sneakier cybercriminals and other ne’er-do-wells, you cannot afford to leave your environments, virtual or otherwise, at risk. Otherwise, you might find yourself in a territory battle with unwanted visitors.

Steer Clear of This Aldi Coupon Scam
https://www.gillware.com/forensics/blog/articles/aldi-coupon-scam-facebook/
Wed, 08 Nov 2017 16:16:13 +0000

Many people have likely seen this Aldi coupon scam appear on their Facebook news feed by now, and some have attempted to get the coupon. Unfortunately (sorry to burst your bubble, couponers), it’s completely fake, but the coupon post is still gaining a lot of undue traction.

I stumbled across the coupon last morning on my Facebook feed. At Gillware Digital Forensics, Cindy Murphy and I firmly believe in the concept of “forensic addiction,” so I just had to do a little forensic digging to see what was going on here. I could tell right away that the coupon was fake. But I just had to know what the scammer’s motivations were. Were they just trying to farm contact information to later be used to generate sales leads? Were they trying to gain access to users’ Facebook accounts? Or was this ad trying to run some malicious software on the computers of unsuspecting victims who just wanted to save on groceries?

So you don’t have to click it to find out for yourself, here is a screenshot of what the fake Aldi coupon scam looks like on your Facebook timeline:

Here’s what a Facebook share of the fake Aldi coupon looks like.

How to Identify a Fake Coupon

The easiest way to identify this coupon as fake is to look at the web domain that it goes to.

A web domain is a portion of the URL (Web Page Address) that points to a specific web server. In the case of the fake Aldi coupon, the domain is ALDISTORE.US, which can be seen towards the bottom of the post on Facebook. It seems very believable. .US is a common type of domain, although not as common as .com, .org, or .net.

After I determined that the domain of our fake Aldi coupon was ALDISTORE.US, I immediately went to Google and searched for “Aldi”. Typically, when you search for a company, the top result is their actual website.

Google search results for “Aldi”

As you can see in the red box on the screenshot of the Google search results, the domain for Aldi is actually aldi.us, not aldistore.us as our fake coupon would like us to believe. Aldistore.us actually goes to an entirely different web server that is not owned or operated by Aldi!

The Trick Behind Fake Domains

Domains can identify fake emails as well. My email is nlittle@gillware.com, so all emails that I send come from nlittle@gillware.com. If I sent an email to you from nlittle@gillwarerecovery.com, you might think it was actually me, but it’s just someone pretending to be me. This is a very common social engineering technique hackers use to successfully distribute ransomware and other malicious software to individuals and small businesses.

In the simplest form, the domain is just the part before the .com, .org, .net, .us, .biz, .ca, etc. and the first period before that (if it has one). For example:

The ALDISTORE.US Aldi Coupon Scam, Dissected

When you go to aldistore.us, you find yourself presented with a few simple questions about your experiences with Aldi. Then you are presented with two things that you need to do on Facebook. Here are some screenshots of what you would see:

Step 1: Fake Aldi Coupon Question 1

Step 2: Fake Aldi Coupon Question 2

Step 3: Fake Aldi Coupon Question 3

After you finish these 3 questions, you come to a page that gives you two more simple tasks to do before you can get your coupon:

This page of the coupon form tries to get users to share the fake coupon to spread it further

“Share on Facebook” – This is a legitimate share button, and when you click it, a new window opens and asks you to enter your Facebook username and password to share it. Now, the window that opens has the domain of facebook.com. We know that this is Facebook’s domain name, so it appears to be legitimate. In this case, clicking this link appears to only legitimately share the post on facebook and does not seem to steal any user credentials. However, anytime a fake website asks you to enter credentials to anything, you should never do it!

“Like ALDI.US” – In order to click this button, you have to first click the button from step one. This causes users to keep spreading the post by sharing it before they can “Like Aldi.us”, which they are led to believe will give them their $40 off coupon. Clicking the “Like ALDI.US” button does not actually like Aldi.us, but instead redirects you to a few different spots. Ultimately, you end up on a website similar to www.onlinepromotionsusa.com showing the image of a gift card. Typically, I imagine the gift card image is an Aldi gift card, but when I attempted the scam, it showed me a Kroger gift card instead.

Here is the page that the Aldi coupon scam takes you to after you click “Like ALDI.US”

What is the Purpose of the Aldi Coupon Scam?

Now, the scam doesn’t seem too great, because it is showing a Kroger gift card when the users are expecting an Aldi gift card, but I have seen variations of this in which it shows an Aldi gift card. At this point, the “Collect 100 Points and get a free gift card” page wants you to answer a few questions (to earn points, ostensibly):

What is your name?

What state do you live in?

What is your email?

What is your date of birth?

Do you plan on purchasing a car in the next 6 months?

Do you take prescription medication?

For every question you answer, you come slightly closer to getting the “100 points” you need to get the fake gift card. Based on the nature of these questions, this scam certainly seems like a way to generate sales leads. Whoever hosts this website likely sells the leads to other companies. If you can collect a few hundred thousand individuals’ personal information and sell the data for a few pennies a person, you can quickly make some (probably illegal) extra cash.

What is the Code on the ALDISTORE.US Doing?

The ALDISTORE.US website is a very simple website. The website loads a main index.html file, which is aldistore.us/index.html. This index.html contains a lot of CSS, which creates the look and feel of the webpage. This is what they use, along with the Aldi logo, to try and make it seem more legitimate. In this situation, there did not seem to be any malicious CSS, so I removed all the CSS code from the index.html file I was evaluating for security threats.
The most common security threat on web pages is malicious Javascript. To analyze what javascript the page was running, I looked at any <script> tags inside the HTML file. In this case, we fortunately only found 3 external scripts.

<script src="http://code.jquery.com/jquery-1.5.1.min.js"></script>

jquery is a very legitimate piece of code, and it used on millions of websites worldwide. jquery.com is legitimate, and this does not download any malicious code.

<script src="http://geoapi123.appspot.com"></script>

appspot.com is the Google App Engine. This piece of code appears to have once downloaded a script that may try to determine your general location at one time, but I cannot be sure. The URL does not download any Javascript anymore.

This is another legitimate jquery library that is used all over the world.

There are some other uses of jquery here. However, they all seem dedicated to making the site look as believable as possible, including a “live” facebook feed of people “liking and sharing” the post. The live feed is actually just fake data generated by Javascript. It has nothing to do with Facebook.
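The two checks this post walks through, the domain comparison from “The Trick Behind Fake Domains” and the inventory of external script tags above, as an added example (not the author’s code): a function that reduces a URL or e-mail address to the domain a brand actually controls so it can be compared with the known-good one, and a parser that lists where a page’s script tags load code from. The HTML is constructed, and the tiny suffix set stands in for the Public Suffix List.

```python
"""Added example, not the author's code: the domain check and the <script src>
inventory described in this post, run on constructed input. A real deployment
should replace MULTI_LABEL_SUFFIXES with the Public Suffix List."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes of more than one
# label. Anything not listed is treated as a single-label suffix (.com, .us).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(target):
    """Lower-cased registrable domain of a URL, bare host or e-mail address."""
    target = target.strip().lower()
    if "@" in target and "://" not in target:
        host = target.rsplit("@", 1)[1]          # e-mail address
    else:
        if "://" not in target:
            target = "http://" + target          # bare host such as aldistore.us
        host = urlsplit(target).hostname or ""
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return host
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def same_owner(target, expected_domain):
    """True when target belongs to expected_domain or one of its subdomains."""
    return registrable_domain(target) == registrable_domain(expected_domain)


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def external_script_hosts(html, page_url):
    """Return {registrable_domain: [src, ...]} for scripts loaded from
    somewhere other than the page's own domain; relative paths are own-domain."""
    collector = _ScriptCollector()
    collector.feed(html)
    own = registrable_domain(page_url)
    hosts = {}
    for src in collector.sources:
        if src.startswith("//"):
            src = "http:" + src                  # protocol-relative URL
        domain = registrable_domain(src) if "://" in src else own
        if domain != own:
            hosts.setdefault(domain, []).append(src)
    return hosts


# Constructed page modelled on the index.html described above: two external
# scripts (the URLs quoted in the post), one same-origin script, one inline.
SAMPLE_HTML = """<html><head>
<script src="http://code.jquery.com/jquery-1.5.1.min.js"></script>
<script src="http://geoapi123.appspot.com"></script>
<script src="/js/feed.js"></script>
<script>var likes = 12873;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for probe in ("ALDISTORE.US", "http://www.aldi.us/", "nlittle@gillwarerecovery.com"):
        print(probe, "->", registrable_domain(probe))
    print("aldistore.us is Aldi's:", same_owner("aldistore.us", "aldi.us"))
    print(external_script_hosts(SAMPLE_HTML, "http://aldistore.us/index.html"))
```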

Final Thoughts on the Aldi Coupon Scam

In conclusion, as far as I can tell after taking a quick glance, the ALDISTORE.US site is not doing anything malicious. However, once an individual clicks the button “Like ALDI.US,” they find themselves redirected to any of a number of different URLs that begin to farm their data as they fill out forms.

If you clicked on the Aldi coupon scam after one of your friends shared on Facebook, realized it was a scam, and closed the windows without sharing any personal data, you probably have nothing to worry about.

If you went through each step and clicked the “Like ALDI.US” button, the scammers might have farmed some of your data. But compared to recent data leaks, this is nothing to be overly concerned about aside from perhaps a bit more junk mail in your inbox.

In the future, make sure to look at the domain before clicking malicious URLs!